(CNN) -- Savvy Android users tend to be wary of installing apps that request seemingly unnecessary permissions. When an app wants access to data or functions on your phone, such as your contacts list or the ability to send text messages, it can signal potential security or malware risks.

But Android apps that request no permissions at all (such as this Magic 8 ball app) are generally considered pretty free of security risks.

But are they?

Earlier this month, a test conducted by the Leviathan Security Group showed that even "no-permissions" Android apps can access potentially sensitive data on your phone -- and transmit that data elsewhere via your phone's Web browser.

Specifically, Paul Brodeur of Leviathan created a test app that requested no permissions and installed it on some Android devices. He was able to scan the phone's memory card (SD card) and display a list of all non-hidden files on it.

"While it's possible to fetch the contents of all those files, I'll leave it to someone else to decide what files should be grabbed and which are going to be boring," he wrote.

He also could see which apps were installed on the phone, and list some files belonging to those apps. He observed that this might allow nefarious people to find and exploit permission-related vulnerabilities in certain apps. Last year the Skype Android app presented this kind of problem. (Skype fixed that problem.)

And for phones that operate on GSM cell networks (in the U.S., that's AT&T and T-Mobile), Leviathan's test app was able to read identifying information about the phone from the SIM card, plus some other information.

Finally, since no-permissions apps can launch the phone's Web browser, that provides a potential route to transmit some data from the phone.

While Brodeur's test app was designed to seek out such security lapses, "It's trivial for any installed app to execute these actions without any user interaction," he wrote.

While this may sound worrying, don't panic. What Leviathan discovered probably should concern Android app developers and Google, rather than consumers who use Android phones and tablets.

"What this research found is really little cracks in Android -- not great big security holes you could drive a truck through," said Kevin Mahaffey, co-founder and chief technical officer of Lookout Mobile Security, a leading provider of security apps and services for Android devices. "That's why this kind of research is so valuable -- it ultimately helps make Android more secure."

According to Mahaffey, the bigger problem is not that people might maliciously exploit these security cracks to steal from users or compromise their phones -- but rather that many app developers are "sloppy."

For instance, developers sometimes build apps that store user data (such as usernames and passwords) in ways that could be easily accessed through the security cracks Leviathan found. Or the app might open the phone's Web browser to allow functionality that could be handled other ways.

For instance, TheVerge.com reported that the photo gallery that comes pre-installed on Android phones by Samsung, LG, and some other manufacturers stores unencrypted copies of complete addresses associated with photos. They found in a completely unencrypted file "a list of locations which matched those of our home, work, family, significant other, friends, and even holiday destinations."

These were not GPS coordinates, but rather full addresses: door number, street, town, zip code, and country. TheVerge noted that this address data apparently was generated by Picasa Web Albums. Google acquired Picasa in 2004.

"There is no reason for the application to be caching locations of private photos completely unencrypted," wrote Aaron Souppouris for The Verge. "This was information that we'd never given Google, either on a phone or within Picasa. To make matters worse, Picasa Web-Album syncing had been switched off a week before the information was found."

There's not a lot that the average consumer can do in terms of spotting whether apps are storing unnecessary data in insecure ways.

The best practice is still to notice which permissions apps require before installing them, don't install apps that seem to require too many permissions, and report to the developer any suspicious activity by an app.

If the developer is not responsive or seems evasive or shady when you report suspicious app behavior, Mahaffey advises alerting Google's Android security team by sending an e-mail to security@android.com.

"That channel is mainly used by developers, but it's worth letting them know if you have concerns about an app and you aren't getting useful responses from the developer," he said.

The opinions expressed in this post are solely those of Amy Gahran.

@highlight

"No-permission" Android apps can access potentially sensitive data on your phone

@highlight

The bigger problem isn't malicious exploitation, but rather that app developers are "sloppy"

@highlight

Don't install apps that require too many permissions, and report any suspicious activity